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DEPARTMENT  OF  DEFENSE 

4800  MARK  CENTER  DRIVE 
ALEXANDRIA.  VIRGINIA  22350-1500 


September  28,  2012 


MEMORANDUM  FOR  COMMANDER,  U.S.  TRANSPORTATION  COMMAND 

ASSISTANT  SECRETARY  OF  THE  AIR  FORCE  (FINANCIAL 
MANAGEMENT  AND  COMPTROLLER) 


SUBJECT:  An  Unreliable  Chart  of  Accounts  Affected  Auditability  of  Defense  Enterprise 
Accounting  and  Management  System  Financial  Data 
(Report  No.  DODIG-2012-140) 

We  are  providing  this  report  for  your  information  and  use.  Unless  the  deficiencies  identified  in 
this  report  are  corrected,  the  Defense  Enterprise  Accounting  and  Management  System’s  data 
reliability  problems  will  likely  impair  DoD  and  U.S.  Air  Force  abilities  to  meet  their 
FY  20 1 4  and  FY  20 1 7  audit  readiness  goals. 

We  considered  management  comments  on  a  draft  of  this  report  when  preparing  the  final  report. 
The  Principal  Deputy  Assistant  Secretary  of  the  Air  Force  (Financial  Management  and 
Comptroller)  provided  comments  and  responded  for  the  Functional  Manager,  Defense  Enterprise 
Accounting  and  Management  System  Functional  Management  Office,  'file  Principal  Deputy 
Assistant  Secretary  of  the  Air  Force  (Financial  Management  and  Comptroller)  comments 
conformed  to  the  requirements  of  DoD  Directive  7650.3;  therefore,  additional  comments  are  not 
required. 

We  appreciate  the  courtesies  extended  to  the  staff.  Please  direct  questions  to  me  at 
(703)  604-8938  (DSN  664-8938). 


PUjLJl  fb . 


Richard  B.  Vasquez,  CPA 
Acting  Assistant  Inspector  General 
Financial  Management  and  Reporting 
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Results  in  Brief:  An  Unreliable  Chart  of 
Accounts  Affected  Auditability  of  Defense 
Enterprise  Accounting  and  Management 
System  Financial  Data 


What  We  Did 

The  U.S.  Air  Force’s  (USAF)  auditability  is 
dependent  on  successfully  deploying  the  Defense 
Enterprise  Accounting  and  Management  System 
(DEAMS).  The  current  DEAMS  life-cycle  cost 
estimate  is  $2.1  billion.  As  of  March  31,  2012, 
DEAMS  expenditures  totaled  approximately 
$322.2  million. 

We  determined  whether  the  DEAMS  fulfilled 
selected  functional  capabilities  needed  to  generate 
accurate  and  reliable  financial  management 
information. 

What  We  Found 

DEAMS  lacked  critical  functional  capabilities  needed 
to  generate  accurate  and  reliable  financial 
management  information.  DEAMS  managers  did  not 
maintain  an  adequate  Chart  of  Accounts  (COA).  In 
addition,  DEAMS  did  not  report  Standard  Financial 
Information  Structure  (SFIS)  financial  data  directly  to 
the  Defense  Departmental  Reporting  System  (DDRS). 
These  occurred  because: 

•  Functional  Management  Office  (FMO) 
personnel  did  not  monitor  changes  to  the  COA 
and  document  policies  and  procedures  for 
modifying  the  COA,  and 

•  DoD  and  USAF  management  initially  decided 
not  to  report  financial  data  directly  to  DDRS 
until  fourth  quarter  FY  2016. 

DEAMS  data  lacks  validity  and  reliability.  Unless 
the  unauthorized  changes  and  inconsistencies  in  the 
DEAMS  COA  are  corrected,  DoD  and  USAF 
management  cannot  rely  on  DEAMS  information  to 
make  sound  business  decisions.  Further,  DEAMS 
management  cannot  ensure  updates  to  the  DEAMS 
COA  are  performed  correctly  and  consistently.  In 


addition,  the  approved  plan  for  reporting  directly  to 
DDRS  may  challenge  the  USAF’s  ability  to  obtain 
audit  readiness  for  the  Statement  of  Budgetary 
Resources  before  the  end  of  FY  2014.  Further, 
unforeseen  delays  with  reporting  SFIS  financial  data 
directly  to  DDRS  may  impede  USAF’s  ability  to 
achieve  audit  readiness  on  the  remaining  financial 
statements  by  FY  2017. 

On  November  14,  201 1,  we  issued  a  Quick  Reaction 
Memorandum  discussing  the  unauthorized  changes  to 
the  DEAMS  COA. 

What  We  Recommend 

We  recommend  that  the  Assistant  Secretary  of  the  Air 
Force  for  Financial  Management  and  Comptroller 
perform  validations  of  the  corrective  actions  for  the 
unauthorized  changes  and  inconsistencies  in  the 
DEAMS  COA  before  further  deployment  to  ensure 
the  corrective  actions  are  operating  as  intended. 

The  Functional  Manager,  DEAMS  FMO,  should 
implement  monitoring  controls  to  identify 
inconsistencies  in  the  DEAMS  COA  data,  determine 
whether  inconsistencies  in  the  account  data  affected 
any  other  areas  of  the  system,  and  document  policies 
and  procedures  for  modifying  the  DEAMS  COA. 

Management  Comments  and 
Our  Response 

The  Principal  Deputy  Assistant  Secretary  of  the  Air 
Force  (Financial  Management  and  Comptroller), 
provided  comments  and  agreed  to  the 
recommendations  for  the  Assistant  Secretary  of  the 
Air  Force  (Financial  Management  and  Comptroller) 
and  the  Functional  Manager,  DEAMS  FMO. 
Therefore,  no  additional  comments  are  required. 
Please  see  the  recommendations  table  on  the  back  of 
this  page. 
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Introduction 


Audit  Objective 

Our  overall  objective  was  to  determine  whether  the  Defense  Enterprise  Accounting  and 
Management  System  (DEAMS)  fulfilled  selected  functional  capabilities  needed  to  generate 
timely,  accurate,  and  reliable  financial  management  information.  The  criteria  related  to  the 
functional  capabilities  we  reviewed  did  not  require  testing  of  the  timeliness  of  the  financial  data. 
Consequently,  we  did  not  determine  whether  DEAMS  provided  DoD  management  with  timely 
financial  information.  See  Appendix  A  for  the  scope  and  methodology  and  prior  audit  coverage. 
See  the  glossary  for  definitions  of  technical  terms. 

DoD  and  USAF  Audit  Readiness 

According  to  the  Office  of  the  Secretary  of  Defense,  auditable  statements  are  needed  to  facilitate 
decision-making,  to  comply  with  the  law,  and  to  reassure  the  public  that  DoD  personnel  are  good 
stewards  of  their  funds.  DoD  management  plans  to  achieve  audit  readiness  for  the  Statement  of 
Budgetary  Resources  before  the  end  of  FY  2014.  They  also  plan  to  meet  the  legal  requirement  to 
achieve  full  audit  readiness  for  all  DoD  financial  statements  by  FY  2017.  The  U.S.  Air  Force’s 
(USAF)  auditability  is  dependent  on  establishing  an  audit  ready  systems  environment  that 
includes  successfully  deploying  Enterprise  Resource  Planning  (ERP)  systems,  including 
DEAMS,  and  interfacing  them  with  other  business  and  financial  systems. 

USAF’s  audit  readiness  faces  challenges,  such  as  the  lack  of  a  transaction-based  general  ledger 
and  the  inability  to  trace  financial  transactions  from  the  business  event  to  the  financial  statements 
and  back.  The  problem  is  a  direct  result  of  a  legacy  accounting  system  based  on  1960s’ 
accounting  processes  and  procedures.  USAF  management  expects  the  deployment  of  its  target 
financial  management  systems  and  validation  of  the  systems  for  compliance  with  the  Federal 
Financial  Management  Improvement  Act  to  correct  a  weakness  with  its  financial  management 
systems. 

DEAMS  Overview 

DEAMS  is  an  ERP  initiative  between  USAF,  the  U.S.  Transportation  Command 
(USTRANSCOM),  and  the  Defense  Finance  and  Accounting  Service  (DFAS).  Its  purpose  is  to 
support  the  warfighter  with  timely,  accurate,  and  reliable  financial  infonnation  enabling  efficient 
and  effective  decision-making.  DEAMS  development  is  under  the  direction  of  the  Office  of  the 
Secretary  of  the  Air  Force  for  Financial  Management  and  Comptroller,  and  the  Office  of  the 
Secretary  of  Defense  Finance  Accounting  Operations  and  Financial  Management  Domain. 
DEAMS  will  generally  improve  financial  management  capabilities  with  Oracle  Federal 
Financials  commercial-off-the-shelf  software.  DEAMS  is  scheduled  to  replace  at  least 
10  USAF  financial  legacy  systems.  The  current  life-cycle  cost  estimate  is  $2.1  billion.  As  of 
March  31,  2012,  DEAMS  expenditures  totaled  approximately  $322.2  million. 

DEAMS’  deployment  schedule  includes  two  increments.  Deployment  of  the  first  increment 
began  in  July  2007  and  is  scheduled  to  end  in  FY  2016.  DEAMS’  second  increment  is  scheduled 
for  deployment  from  FY  2016  through  FY  2017.  At  the  time  of  our  review,  the  full  deployment 
date  for  DEAMS  was  scheduled  for  the  third  quarter  of  FY  2017.  A  portion  of  DEAMS 
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Increment  1  was  deployed  to  at  least  1,200  USAF,  USTRANSCOM,  and  DFAS  users.  When 
fully  deployed,  approximately  30,000  personnel  will  use  DEAMS.  See  Appendix  B  for  the 
current  deployment  sites  and  deployment  schedule. 

Financial  Systems  Requirements 

DoD  Components  are  required  to  follow  the  Office  of  Federal  Financial  Management  (OFFM) 
regulation,  OFFM-NO-0106,  “Core  Financial  System  Requirements,”  January  2006,  when 
developing  financial  systems.  OFFM-NO-0106  requires  financial  systems  to  have  the  ability  to 
provide  consistent,  standardized  information  for  program  managers,  financial  managers,  agency 
executives,  and  oversight  organizations.  The  regulation  also  requires  core  financial  systems  to 
provide  automated  functionality  to: 

•  capture  additions,  modifications,  and  cancellations,  including  the  date,  time,  and  user 
identification;  and 

•  generate  an  audit  trail  of  all  accounting  classification  structure  additions,  changes,  and 
deactivations,  including  effective  dates  of  changes. 

The  Federal  Information  System  Controls  Audit  Manual  (FISCAM),  February  2009,  states 
master  data  serves  as  the  basis  for  transaction  processing.  Master  data  policies  and  procedures 
require  data  owners  to  be  responsible  for  the  creation,  deletion,  and  changes  of  master  data  and 
changes  to  data  characteristics.  Further,  master  data  provides  the  basis  for  ongoing  business 
activities  and  includes  the  General  Ledger  Account  Structure  and  chart  of  accounts  (COA).  It  is 
critical  that  controls  exist  to  ensure  the  integrity  and  quality  of  the  data. 

Office  of  the  Under  Secretary  of  Defense  (Comptroller)  (OUSD[C])  Memorandum,  “DoD 
Standard  Chart  of  Accounts  in  Standard  Financial  Information  Structure  (SFIS),”  August  13, 
2007,  directs  the  use  of  a  DoD  Standard  COA  in  Component  target  general  ledger  accounting 
systems.  The  COA  aggregates  transaction  activity  into  account  balances  and  reports  those 
balances  to  departmental  reporting  and  other  accounting  systems.  The  DoD  Standard  COA  is 
comprised  of  United  States  Standard  General  Ledger  (USSGL)  accounts  and  DoD  standard 
account  extensions  to  provide  the  detail  required  for  budgetary,  financial,  and  management 
reports. 

Roles  and  Responsibilities 

The  Assistant  Secretary  of  the  Air  Force  for  Financial  Management  and  Comptroller  (SAF/FM) 
is  responsible  for  exercising  the  comptroller  and  financial  management  functions  of  the 
Air  Force,  which  include  preparing  the  Air  Force  budget;  directing  cost  and  economic  analysis 
programs;  and  overseeing  accounting  and  finance  operations,  systems,  and  reporting.  The 
DEAMS  Functional  Management  Office  (FMO),  which  is  comprised  of  personnel  from  USAF, 
USTRANSCOM,  and  DFAS,1  defines  functional  requirements.  They  also  record,  vet,  and 
formalize  the  requirements  before  delivering  them  to  the  DEAMS  Program  Management  Office 
(PMO). 


1  From  this  point  forward,  when  using  “DEAMS  FMO”  or  “FMO,”  we  are  referring  to  the  entity  comprised  of 
personnel  from  USAF,  USTRANSCOM,  and  DFAS. 
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Internal  Controls  Not  Effective  for  Maintaining  an 
Adequate  COA 

DoD  Instruction  5010.40,  “Managers’  Internal  Control  Program  (MICP)  Procedures,”  July  29, 
2010,  requires  DoD  organizations  to  implement  a  comprehensive  system  of  internal  controls 
providing  reasonable  assurance  that  programs  operate  as  intended  and  evaluate  the  effectiveness 
of  controls.  We  identified  internal  control  weaknesses  related  to  maintaining  an  adequate  COA. 
Specifically,  DEAMS  management  was  not  monitoring  updates  to  the  COA  or  documenting 
policies  and  procedures  for  modifying  the  COA.  We  will  provide  a  copy  of  the  report  to  the 
senior  official  responsible  for  internal  controls  in  the  Air  Force. 
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Finding.  DEAMS  Financial  Data  Reliability 
Challenges 

DEAMS  lacked  critical  functional  capabilities  needed  to  generate  accurate  and  reliable  financial 
management  information.  Specifically,  DEAMS  managers  did  not  maintain  an  adequate 
DEAMS  COA.  In  addition,  DEAMS  did  not  report  SFIS  financial  data  directly  to  the  Defense 
Departmental  Reporting  System  (DDRS).  These  conditions  occurred  because: 

•  FMO  personnel  did  not  monitor  updates  to  the  COA  as  recommended  by  the  FISCAM, 

•  FMO  personnel  did  not  have  documented  policies  and  procedures  for  modifying  the 
COA,  and 

•  DoD  and  USAF  management  initially  decided  not  to  report  financial  data  directly  to 
DDRS  until  fourth  quarter  of  FY  2016. 

As  a  result,  DEAMS  COA  data  lacks  validity  and  reliability.  Unless  the  unauthorized  changes 
and  inconsistencies  in  the  DEAMS  COA  are  corrected,  DoD  and  USAF  management  cannot  rely 
on  DEAMS  information  to  make  sound  business  decisions.  Further,  DEAMS  management 
cannot  ensure  updates  to  the  DEAMS  COA  are  performed  correctly  and  consistently.  In 
addition,  DEAMS’  approved  plan  for  reporting  directly  to  DDRS  may  challenge  the  USAF’s 
ability  to  obtain  audit  readiness  for  the  Statement  of  Budgetary  Resources  before  the  end  of 
FY  2014.  Further,  unforeseen  delays  with  reporting  SFIS  financial  data  directly  to  DDRS  may 
impede  USAF’s  ability  to  achieve  audit  readiness  on  the  remaining  financial  statements  by 
FY  2017  and  could  result  in  increased  cost  and  schedule  growth. 

On  November  14,  201 1,  we  issued  a  Quick  Reaction  Memorandum  (QRM)  that  discussed 
unauthorized  changes  to  the  DEAMS  COA  and  related  audit  trail  deficiencies  (see  Appendix  C 
for  the  QRM).  SAF/FM  and  DFAS  provided  responses  to  the  QRM  (see  Appendix  D  for 
SAF/FM  response  and  Appendix  E  for  the  DFAS  response). 

FMO  Personnel  Did  Not  Maintain  an  Adequate  COA 

FMO  personnel  did  not  maintain  an  adequate  COA.  Specifically,  the  DEAMS  COA  contained 
unauthorized  changes  and  inconsistencies  in  account  data.  The  FISCAM  states  that  it  is  critical 
for  controls  to  exist  over  the  integrity  and  quality  of  the  data  in  the  COA.  In  addition,  the 
COA  provides  the  basis  for  ongoing  business  activities  and  should  be  carefully  controlled.  Each 
general  ledger  account  in  the  DEAMS  COA  includes  several  data  fields,  such  as  “Creation 
Date,”  “Updated  By,”  and  “Last  Update.”  These  fields  are  important  for  maintaining  the  audit 
trail  for  DEAMS  accounts.  The  DEAMS  COA  also  includes  an  “Enabled  Flag”  data  field,  which 
indicates  whether  general  ledger  accounts  in  DEAMS  are  active  and  available  for  posting 
transactions.  However,  the  DEAMS  COA  was  inadequate  because  FMO  personnel  were  not 
monitoring  additions,  deletions,  or  changes  to  COA  data.  Further,  FMO  personnel  did  not 
document  policies  and  procedures  for  modifying  the  DEAMS  COA. 
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Unauthorized  Changes  to  Accounts  Reduced  the  Reliability  of  DEAMS 
Financial  Data 

Unauthorized  changes  to  the  “Last  Update”  and  “Enabled  Flag”  fields  occurred  in  1,101  of  4,207 
general  ledger  accounts.  After  we  brought  these  unauthorized  changes  to  FMO  personnel’s 
attention  on  September  8,  201 1,  they  investigated  and 
found  that  DEAMS  identified  AUTOINSTALF,  which 
is  a  default  user  account  in  the  Oracle  E-Business  Suite, 
as  the  last  user  to  update  approximately  25  percent  of 
DEAMS’  total  general  ledger  accounts.  According  to 
FMO  personnel,  that  many  general  ledger  accounts  should  not  have  been  updated  by  the  user 
AUTOINSTALL.  After  continuing  their  research  through  September  30,  2011,  FMO  personnel 
detennined  that  AUTOINSTALL  was  not  updating  the  accounts.  Rather,  a  data  coding  error  was 
incorrectly  changing  and  deleting  the  correct  general  ledger  account  data  and  its  audit  trail.  This 
caused  any  changes  to  these  accounts  to  be  untraceable.  Specifically,  the  coding  error  changed: 

•  “Updated  By”  user  to  “AUTOINSTALL,” 

•  “Last  Update”  date  to  “December  15,  2001,”  and 

•  “Enabled  Flag”  to  “Y.” 

Based  on  discussions  with  the  DEAMS  FMO,  DFAS  determined  the  coding  error  was  a 
DEAMS  “systematic  issue.” 

According  to  FMO  personnel,  they  received  a  patch  from  the  system  integrator  to  fix  the  coding 
error  that  was  incorrectly  changing  account  data.  FMO  personnel  stated  that  this  patch  would 
correct  the  majority  of  the  inconsistencies  in  the  DEAMS  COA.  However,  FMO  personnel 
tested  the  patch  and  determined  the  patch  was  not  operating  correctly.  Therefore, 

FMO  personnel  rejected  the  patch  and  requested  the  system  integrator  develop  another  patch  to 
resolve  the  data  integrity  problem.  On  March  16,  2012,  more  than  six  months  after  we  initially 
notified  FMO  personnel  of  the  unauthorized  changes,  FMO  personnel  received  a  patch  from  the 
system  integrator  to  correct  the  data  coding  error.  According  to  FMO  personnel,  the  patch  is 
working  as  intended. 

Inconsistencies  in  COA  Data  Affected  the  Validity  and  Reliability  of 
DEAMS  Data 

The  May,  June,  and  August  2011  DEAMS  CO  As  included  three  types  of  inconsistencies  in  the 
creation  date  and  last  update  fields.  FMO  personnel  did  not  identify  these  inconsistencies  until 
we  brought  them  to  their  attention  during  the  audit.  Specifically,  the  inconsistencies  in  the 
account  data  were: 

•  last  update  dates  occurred  before  creation  dates, 

•  the  COA  did  not  reflect  all  update  dates,  and 

•  last  update  dates  were  replaced  by  older  update  dates. 

The  first  type  of  inconsistency  involved  two  general  ledger  accounts  in  the  May,  June,  and 
August  2011  COAs  that  showed  last  update  dates  occurring  before  the  account’s  creation  date  in 


A  data  coding  error  was 
incorrectly  changing  and  deleting 
the  correct  general  ledger 
account  data  and  its  audit  trail. 
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2 

DEAMS.  An  example  is  budgetary  account  4550.900030",  which  summarizes  allotment  data. 
According  to  the  DEAMS  COA,  this  account’s  creation  date  was  in  October  2009.  However,  its 
last  update  date  listed  was  August  2009.  Therefore,  according  to  DEAMS’  COA,  account 
4550.900030  was  updated  two  months  before  it  was  created.  Because  an  account  cannot  be 
updated  before  it  is  created,  there  should  not  be  any  update  dates  occurring  before  the  creation 
date.  Table  1  shows  the  two  accounts’  creation  dates  and  last  update  dates  that  appeared  in  the 
DEAMS  COA. 


Table  1.  Accounts  With  Creation  Dates  After  the  Account’s  Last  Update  Dates 


Account 

Number 

May  2011  COA 

June  2011  COA 

August  2011  COA 

Creation 

Date 

Last 

Update 

Date 

Creation 

Date 

Last 

Update 

Date 

Creation 

Date 

Last 

Update 

Date 

4550.900030 

10/21/2009 

8/10/2009 

10/21/2009 

8/10/2009 

10/21/2009 

8/10/2009 

6000 

3/31/2010 

8/26/2009 

3/31/2010 

6/13/2011 

3/31/2010 

8/26/2009 

The  second  type  of  inconsistency  involved  two  general  ledger  accounts  in  the  August  2011  COA 
with  last  update  dates  that  were  not  identified  in  the  May  and  June  2011  COA.  An  example  is 
budgetary  account  4900.9000902 3,  which  summarizes  the  total  expended  balance.  In  the 
August  2011  COA,  this  account  showed  a  last  update  date  of  March  2011.  However,  the 
May  and  June  2011  COA  showed  a  last  update  date  of  August  2009.  If  an  update  occurred  in 
March  201 1,  as  the  August  2011  COA  showed,  then  the  May  and  June  2011  COAs  should  also 
have  reflected  the  March  2011  date.  Table  2  shows  the  two  accounts  in  the  August  2011  COA 
with  last  update  dates  that  should  have  appeared  in  May  and  June  2011  COA. 


Table  2.  Last  Update  Dates  That  Should  Have  Appeared  in  Earlier  COAs 


Account  Number 

Last  Update  Date 

May  2011  COA 

June  2011  COA 

August  2011  COA 

4610.900033 

1/13/2011 

5/21/2011 

2/14/2011 

4900.900090 

8/28/2009 

8/28/2009 

3/21/2011 

The  third  type  of  inconsistency  involved  general  ledger  accounts  in  the  August  2011  COA  with 
last  update  dates  that  preceded  the  last  update  dates  found  in  one  or  both  of  the  May  or 
June  2011  COA.  Specifically,  four  general  ledger  accounts  in  the  August  201 1  COA  had  a  last 
update  date  that  was  before  the  last  update  date  in  the  June  201 1  COA.  For  example,  budgetary 
account  46 10. 90003 3 4,  which  relates  to  allotments  and  realized  resources,  had  a  last  update  date 
of  May  21,  201 1,  in  the  June  2011  COA.  However,  in  the  August  2011  COA,  the  last  update 
date  was  February  14,  201 1,  which  predates  the  last  update  in  the  June  2011  COA  by  more  than 
three  months.  FMO  personnel  emphasized  that  last  update  dates  for  accounts  should  never 
change  to  an  older  date.  Therefore,  there  was  an  error  in  the  account  data  because  the 


2  The  title  of  DEAMS  account  4550.900030  is  “AnnAllotTargetCtl.” 

’  The  title  of  DEAMS  account  4900.900090  is  “Total  Expended  Balance.” 

4  The  title  of  DEAMS  account  4610.900033  is  “Allotments  -  Realized  Resources  -  Sub  Allotments 
ReProgramming.  ” 


6 


August  2011  COA  should  not  show  a  last  update  date  that  is  older  than  the  date  in  the  May  or 
June  2011  COA.  Table  3  shows  the  four  accounts,  along  with  their  last  update  dates  that 
appeared  in  the  May,  June,  and  August  2011  COAs. 


Table  3.  Older  Update  Dates  Replaced  Newer  Update  Dates  in  the  August  COA 


Account  Number 

Last  Update  Date 

May  2011  COA 

June  2011  COA 

August  2011  COA 

1010.011 

5/13/2011 

5/13/2011 

9/3/2009 

4550.900033 

10/21/2009 

6/14/2011 

10/21/2009 

4610.900033 

1/13/2011 

5/21/2011 

2/14/2011 

6000 

8/26/2009 

6/13/2011 

8/26/2009 

On  January  31,  2012,  DEAMS  personnel  explained  that  they  had  not  determined  the  root  causes 
for  the  remaining  inconsistencies  in  the  DEAMS  COA.  Therefore,  they  decided  to  develop 
controls  to  mitigate  the  risk  of  additional  inconsistencies,  which  included: 

•  developing  standard  operating  procedures  for  General  Accounting  Configuration, 

•  developing  internal  controls  for  code  and  Global  Combat  Support  System- Air  Force  Field 
Assistance  Service  Ticket  review,  and 

•  identifying  anyone  capable  of  applying  scripts  to  the  DEAMS  application  and  restricting 
this  ability  to  identifiable  logins  that  track  to  specific  team  members. 

According  to  the  National  Institute  of  Standards  and  Technology,  “Guide  for  Assessing  the 
Security  Controls  in  Federal  Infonnation  Systems  and  Organizations,”  June  2010,  controls 
similar  to  those  identified  in  the  bullets  above  should  have  already  been  implemented. 

Therefore,  these  actions  should  have  already  been  implemented  before  the  inconsistencies  in  the 
DEAMS  COA  were  identified. 

FMO  Personnel  Did  Not  Monitor  the  COA  Data 

FMO  personnel  were  not  monitoring  additions,  deletions,  or  changes  to  COA  data  as 
recommended  by  the  FISCAM.  Effective  controls  and  oversight  procedures  over  the  COA 

would  have  highlighted  the  unauthorized  changes  and 
inconsistencies  in  the  COA  data  to  allow  for  timely 
investigation  by  FMO  personnel.  These  undetected  changes 
demonstrate  a  lack  of  oversight  and  monitoring  of  the 
DEAMS  COA  data.  According  to  information  provided  by 
FMO  personnel,  the  unauthorized  changes  and  inconsistencies  caused  actual  audit  data  to  be  lost. 
Therefore,  unless  the  unauthorized  changes  and  inconsistencies  are  corrected,  DoD  and  USAF 
management  cannot  make  sound  business  decisions  because  of  DEAMS’  lack  of  an  adequate 
COA.  In  addition,  DEAMS  COA  data  may  not  be  valid  and  reliable. 

In  accordance  with  DoD  Instruction  5000.02,  “Operation  of  the  Defense  Acquisition  System,” 
December  8,  2008,  hardware  and  software  alterations  that  materially  change  system 
perfonnance,  including  system  upgrades  and  changes  to  correct  deficiencies,  should  undergo 


Unauthorized  changes  and 
inconsistencies  caused  actual 
audit  data  to  be  lost. 
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Operational  Test  and  Evaluation.  The  fundamental  purpose  of  test  and  evaluation  is  to  provide 
knowledge  to  assist  in  managing  the  risks  involved  in  developing,  producing,  operating,  and 
sustaining  systems  and  capabilities.  Therefore,  USAF  management  should  perform  a  validation 
of  the  corrective  actions  for  the  unauthorized  changes  and  inconsistencies  in  the  DEAMS  COA 
before  further  deployment  to  ensure  they  are  operating  as  intended.  FMO  personnel  should 
implement  procedures  to  monitor  DEAMS  COA  data.  Further,  FMO  personnel  need  to 
determine  whether  inconsistencies  in  the  account  data  affected  any  other  DEAMS  functional 
areas. 

FMO  Personnel  Did  Not  Have  Documented  Policies  and  Procedures 
for  Modifying  the  COA 

DEAMS  FMO  personnel  did  not  document  policies  and  procedures  for  modifying  the  DEAMS 
COA.  Although  FMO  personnel  could  explain  the  process  to  modify  the  COA,  they  did  not  have 
the  process  documented.  According  to  the  National  Institute  of  Standards  and  Technology,  “An 
Introduction  to  Computer  Security:  The  NIST  Handbook,”  October  1995,  documentation  of  all 
aspects  of  computer  support  and  operations  is  important  to  ensure  continuity  and  consistency. 
Formalizing  operational  practices  and  procedures  with  sufficient  detail  helps  to  eliminate 
security  lapses  and  oversights,  gives  new  personnel 
sufficiently  detailed  instructions,  and  provides  a 
quality  assurance  function  to  help  ensure  that 
operations  are  perfonned  correctly  and  efficiently. 

FMO  personnel  stated  they  had  not  documented  the 
processes  for  COA  changes  because  the  individual 
perfonning  the  changes  had  received  training.  Further, 
the  individual  performing  the  changes  knew  how  to  perform  the  updates  to  the  DEAMS  COA. 
However,  because  the  processes  were  not  documented,  continuity  and  consistency  of  operations 
would  be  affected  if  FMO  has  a  change  in  personnel  responsible  for  COA  updates.  As  a  result, 
DEAMS  management  cannot  ensure  that  operations  to  update  the  DEAMS  COA  will  be 
perfonned  correctly  and  efficiently.  FMO  personnel  should  document  policies,  procedures,  and 
controls  for  modifying  DEAMS  COA  data  to  ensure  those  operations  are  performed  correctly 
and  efficiently. 

DEAMS  Did  Not  Report  SFIS  Financial  Data  Directly  to  DDRS 

DEAMS  did  not  report  SFIS  financial  data  directly  to  DDRS5.  This  occurred  because  DoD  and 
USAF  management  initially  decided  not  to  report  the  financial  data  in  DEAMS  directly  to  DDRS 
until  the  fourth  quarter  FY  2016.  Public  Law  1 1 1-84,  “National  Defense  Authorization  Act  for 
Fiscal  Year  2010,”  October  28,  2009,  requires  DoD  to  assert  that  the  financial  statements  are 
ready  for  audit  by  no  later  than  September  30,  2017.  The  Secretary  of  Defense’s  memorandum, 
“Improving  Financial  Infonnation  and  Achieving  Audit  Readiness,”  October  13,  201 1,  directs 
DoD  management  to  achieve  audit  readiness  for  the  Statement  of  Budgetary  Resources  before 
the  end  of  2014.  OUSD(C)  Memorandum,  “Standard  Financial  Information  Structure  (SFIS) 


FMO  personnel  stated  they  had 
not  documented  the  processes  for 
COA  changes  because  the 
individual  performing  the  changes 
had  received  training. 


5  DDRS  produces  the  official  financial  statements  and  budgetary  reports  for  the  Military  Services  and 
DoD  agencies. 
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Implementation  Policy,”  August  4,  2005,  requires  systems  containing  financial  information  to 
provide  the  ability  to  capture  and  transmit  the  SFIS  data  or  demonstrate  a  cross-walking 
capability  to  the  SFIS  format. 

If  DoD  and  USAF  management  continue  with  their  approved  plan  for  reporting  directly  to 
DDRS,  USAF  may  face  challenges  in  achieving  its  audit  readiness  goal  for  the  Statement  of 
Budgetary  Resources  by  the  end  of  FY  2014. 6  In  addition,  the  plan  may  not  give  DoD  and 
USAF  management  sufficient  time  to  ensure  DEAMS  reports  SFIS  financial  data  accurately  to 
DDRS  before  the  start  of  FY  2017.  Unforeseen  delays  in  reporting  SFIS  financial  data  directly 
to  DDRS  may  impede  DoD  and  USAF  abilities  to  achieve  audit  readiness  by  FY  2017  and  could 
result  in  increased  cost  and  schedule  growth. 

In  response  to  the  Secretary  of  Defense’s  memorandum  and  our  audit,  USAF  management  is 
evaluating  alternatives  to  accelerate  development  and  implementation  of  DEAMS  to  meet  the 
FY  2010  National  Defense  Authorization  Act’s  FY  2017  auditability  mandate  and  the  Secretary 
of  Defense’s  Statement  of  Budgetary  Resources  auditability  requirement.  According  to  DEAMS 
FMO  personnel,  they  developed  a  tentative  plan  for  DEAMS  to  report  directly  to  DDRS 
beginning  in  April  2013.  However,  this  tentative  plan  has  not  been  formally  approved.  Since 
USAF  management  is  in  the  process  of  evaluating  alternatives  for  reporting  directly  to  DDRS  in 
April  2013,  we  did  not  make  any  recommendations. 

SAF/FM  Management  Actions 

We  issued  a  QRM,  dated  November  14,  2011,  that  discussed  unauthorized  changes  to  the 
DEAMS  COA  and  related  audit  trail  deficiencies  (see  Appendix  C  for  the  QRM).  SAF/FM  and 
DFAS  provided  responses  to  the  QRM  (see  Appendix  D  for  SAF/FM  response  and  Appendix  E 
for  the  DFAS  response).  According  to  the  comments,  SAF/FM  intends  to  complete  the 
following  corrective  actions  in  FY  2012: 

•  The  Oracle  E-Business  Suite  default  user  account  AUTOINSTALL  has  been  disabled. 
The  FMO  is  working  with  the  developer  on  a  new  application  interface  script  to  facilitate 
proper  loading  of  changes  to  the  COA. 

•  Change  and  Configuration  Management  processes  and  procedures  are  under  review.  The 
DEAMS  FMO  and  PMO  have  been  directed  to  make  no  changes  to  the  DEAMS  baseline 
configurations  without  approval  from  the  DEAMS  Change  Control  Board.  The  DEAMS 
Change  Control  Board  and  SAF/FM  are  implementing  industry  standard  Information 
Technology  Lifecycle  Management  processes. 

•  Controls  for  software  quality  are  under  review.  Attention  is  directed  to  controls  that 
ensure  appropriate  reviews  are  being  perfonned  for  software  code  (including  scripts), 
audit  logs,  and  system-wide  scans  to  detect  malicious  code  and  other  vulnerabilities. 

•  Evaluation  of  tools  to  perform  automated  detection  of  any  changes  to  baseline 
configuration  items  and  other  settings  is  being  conducted. 


6  USAF’s  ERPs,  including  DEAMS,  will  not  be  fully  deployed  by  2014.  As  a  result,  USAF  will  rely  on  manual 
controls  and  legacy  system  enhancements  to  meet  the  FY  2014  goal  of  audit  readiness  for  the  Statement  of 
Budgetary  Resources. 
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A  FISCAM  review  of  DEAMS  began  on  October  3 1,  201 1,  and  will  be  completed  before 
the  end  of  FY  2012. 


Conclusion 

Unauthorized  changes  and  other  COA  inconsistencies  reduced  the  reliability  of  DEAMS’  COA 
data,  eliminated  critical  audit  trails,  and  may  have  affected  other  DEAMS  functional  areas. 

FMO  personnel  did  not  monitor  additions,  deletions,  or  changes  to  the  COA  and  did  not 
document  the  procedures  needed  to  modify  the  COA.  Unless  the  unauthorized  changes  and 
inconsistencies  in  the  DEAMS  COA  are  corrected,  DoD  and  USAF  management  cannot  rely  on 
DEAMS  information  to  make  sound  business  decisions. 

DEAMS’  approved  plan  for  reporting  directly  to  DDRS  may  not  allow  USAF  to  achieve  its  audit 
readiness  goal  for  the  Statement  of  Budgetary  Resources  before  the  end  of  FY  2014.  In  addition, 
unforeseen  delays  with  reporting  SFIS  financial  data  directly  to  DDRS  may  impede  DoD  and 
USAF  abilities  to  achieve  audit  readiness  by  FY  2017,  and  could  result  in  increased  cost  and 
schedule  growth. 

Recommendations,  Management  Comments,  and 
Our  Response 

1.  We  recommend  that  the  Assistant  Secretary  of  the  Air  Force  for  Financial  Management 
and  Comptroller  perform  validation  of  the  corrective  actions  for  the  unauthorized  changes 
and  inconsistencies  in  the  Defense  Enterprise  Accounting  and  Management  System  chart  of 
accounts  before  further  deployment  to  ensure  the  corrective  actions  are  operating  as 
intended. 

Assistant  Secretary  of  the  Air  Force  (Financial  Management  and 
Comptroller)  Comments 

The  Principal  Deputy  Assistant  Secretary  of  the  Air  Force  (Financial  Management  and 
Comptroller),  responded  on  behalf  of  the  Assistant  Secretary  of  the  Air  Force  (Financial 
Management  and  Comptroller).  She  agreed  and  stated  they  had  completed  the  following 
corrective  actions: 

•  Disabled  the  Oracle  E-Business  Suite  default  user  account,  “AUTOINSTALL;” 

•  Directed  the  DEAMS  PMO  and  FMO  to  make  no  changes  to  the  DEAMS  baseline 
without  approval  from  the  DEAMS  Executive  Change  Control  Board; 

•  Developed  and  implemented  an  interim  manual  control  review  process  for  the  COA;  and 

•  Developed  long-term  strategy  to  perfonn  automated  detection  of  any  changes  to  baseline 
configuration  items  using  the  Oracle  Governance  Risk  and  Compliance  module,  which 
will  be  implemented  in  the  DEAMS  environment  for  Release  2. 

She  also  stated  they  have  initiated  a  FISCAM  review  with  an  estimated  completion  date  of 
September  2012. 
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Our  Response 

Comments  from  the  Principal  Deputy  Assistant  Secretary  of  the  Air  Force  (Financial 
Management  and  Comptroller)  were  responsive,  and  no  additional  comments  are  required. 

2.  We  recommend  that  the  Functional  Manager,  Defense  Enterprise  Accounting  and 
Management  System  Functional  Management  Office: 

a.  Implement  monitoring  procedures  to  identify  inconsistencies  in  the  Defense 
Enterprise  Accounting  and  Management  System  chart  of  accounts  data. 

Defense  Enterprise  Accounting  and  Management  System  Functional 
Management  Office  Comments 

The  Principal  Deputy  Assistant  Secretary  of  the  Air  Force  (Financial  Management  and 
Comptroller),  responded  on  behalf  of  the  Functional  Manager,  DEAMS  FMO.  She  agreed  and 
stated  DEAMS  FMO  had  implemented  additional  manual  internal  controls  to  identify 
inconsistencies  in  the  COA  data.  She  also  stated  SAF/FM  directed  all  changes  to  the  DEAMS 
COA  be  documented  and  approved  prior  to  configuration  changes.  She  added  DEAMS  FMO 
started  reviewing  audit  logs  and  providing  them  to  SAF/FMP  for  oversight  on  a  recurring  basis. 
Further,  she  stated  the  Governance  Risk  and  Compliance  tools  will  subsume  the  manual  controls 
with  systemic  controls  and  will  require  systemically  routed  approvals  for  all  changes  to  the 
DEAMS  COA.  The  Governance  Risk  and  Compliance  tools  will  be  implemented  by 
February  2013. 

b.  Determine  whether  the  inconsistencies  in  the  account  data  affected  any  other 
Defense  Enterprise  Accounting  and  Management  System  functional  areas. 

Defense  Enterprise  Accounting  and  Management  System  Functional 
Management  Office  Comments 

The  Principal  Deputy  Assistant  Secretary  of  the  Air  Force  (Financial  Management  and 
Comptroller),  responded  on  behalf  of  the  Functional  Manager,  DEAMS  FMO.  She  agreed  and 
stated,  based  on  a  DEAMS  FMO  assessment  of  the  DEAMS  COA,  none  of  the  unauthorized 
changes  made  to  the  COA  impacted  the  financial  records  or  account  balances. 

c.  Document  policies  and  procedures  for  modifying  the  Defense  Enterprise 
Accounting  and  Management  System  chart  of  accounts. 

Defense  Enterprise  Accounting  and  Management  System  Functional 
Management  Office  Comments 

The  Principal  Deputy  Assistant  Secretary  of  the  Air  Force  (Financial  Management  and 
Comptroller),  responded  on  behalf  of  the  Functional  Manager,  DEAMS  FMO.  She  agreed  and 
stated  DEAMS  FMO  and  PMO  updated  the  configuration  and  maintenance  of  DEAMS  in  the 
DEAMS  Sustainment  Plan.  She  also  stated  the  DEAMS  FMO  and  DFAS  will  publish  an 
internal  standard  operating  procedure  to  address  continuity  and  consistency  of  operations, 
including  policies  and  procedures  for  modifying  the  DEAMS  COA.  The  estimated  completion 
date  is  September  2012. 
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Our  Response 

Comments  from  the  Principal  Deputy  Assistant  Secretary  of  the  Air  Force  (Financial 
Management  and  Comptroller)  on  Recommendations  2. a,  2.b,  and  2.c  were  responsive,  and  no 
additional  comments  are  required. 
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Appendix  A.  Scope  and  Methodology 

We  conducted  this  performance  audit  from  January  2011  through  July  2012  in  accordance  with 
generally  accepted  government  auditing  standards.  Those  standards  require  that  we  plan  and 
perform  the  audit  to  obtain  sufficient,  appropriate  evidence  to  provide  a  reasonable  basis  for  our 
findings  and  conclusions  based  on  our  audit  objectives.  We  believe  that  the  evidence  obtained 
provides  a  reasonable  basis  for  our  findings  and  conclusions  based  on  our  audit  objectives. 

We  reviewed  COA  information,  criteria  related  to  SFIS,  and  DEAMS  transaction  data. 
Specifically,  for  the  COA,  we  examined  the  FY  2011  Reporting  USSGL  COA;  FY  2011  DoD 
Standard  COA  updated  in  August  2010  and  April  2011;  and  DEAMS  COAs  updated  in 
March  2011,  May  2011,  June  2011,  and  August  2011.  During  our  SFIS  review,  we  examined 
the  SFIS  Business  Rules  (Version  7.0  and  8.0).  We  also  examined  the  posted  DEAMS 
transaction  data  from  the  first  quarter  of  FY  2011. 

We  conducted  site  visits  to  the  DEAMS  FMO;  DEAMS  PMO;  and  DFAS  offices  in  Limestone, 
Maine,  and  Columbus,  Ohio.  In  the  National  Capital  Region,  we  visited  the  OUSD(C),  Office  of 
the  Deputy  Chief  Management  Officer,  and  SAF/FM. 

To  determine  whether  DEAMS  provided  DoD  management  with  accurate  and  reliable  financial 
management  information,  we  compared  the  DEAMS  COA  to  the  USSGL  COA  and  the  DoD 
Standard  COA  to  identify  any  differences  between  the  account  titles  and  nonnal  balance 
indicators  for  accounts  in  the  DEAMS  COA,  and  the  corresponding  accounts  in  the  USSGL 
COA  and  DoD  Standard  COA.  Additionally,  we  obtained  the  USAF  and  USTRANSCOM  trial 
balances  from  DDRS  for  September  2010  and  March  2011.  We  reviewed  the  USAF’s  and 
USTRANSCOM’s  trial  balances  for  accounts  not  included  in  the  DEAMS  COA.  Once  we 
identified  the  accounts  in  the  USAF’s  and  USTRANSCOM’s  trial  balances  that  were  not  in  the 
DEAMS  COA,  we  reviewed  the  FY  2011  DoD  Standard  COA  to  identify  if  those  specific 
accounts  were  reported  in  the  DoD  Standard  COA. 

While  comparing  the  May  2011,  June  2011,  and  August  2011  DEAMS  COA  to  each  other,  we 
identified  inconsistencies  with  the  account  data.  Based  on  the  inconsistencies  identified,  we 
perfonned  additional  comparisons  between  the  three  versions  of  the  DEAMS  COA.  We  met 
with  DEAMS  FMO  personnel  to  discuss  the  potential  inconsistencies  with  the  accounts’  dates. 
We  observed  the  accounts  within  DEAMS  and  discussed  them  with  FMO  personnel.  Based  on 
the  inconsistencies,  we  could  not  rely  on  the  data  from  DEAMS  to  report  on  the  results  of  our 
testing.  Specifically,  we  were  unable  to  rely  on  the  testing  related  to: 

•  comparing  the  DEAMS  COA  to  the  USSGL  and  DoD  Standard  COA,  and 

•  identifying  accounts  in  the  USAF  and  USTRANSCOM  trial  balances  not  in  the  DEAMS 
COA. 

In  our  review  of  SFIS,  we  conducted  meetings  with  FMO  and  Business  Transformation  Agency 
personnel  to  determine  whether  DEAMS  included  all  applicable  SFIS  business  rules  and  whether 
DEAMS  complied  with  these  business  rules.  We  conducted  meetings  with  FMO  personnel  and 
obtained  screenshots  to  detennine  whether  DEAMS  implemented  mandatory  SFIS  data  elements 
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required  by  the  SFIS  Transaction  Library  for  items  in  the  posted  DEAMS  transaction  data  from 
the  first  quarter  of  FY  2011.  We  also  compared  the  SFIS  Oracle  Standard  Configuration  Guide 
to  the  SFIS  business  rules  and  identified  any  differences  or  contradictions.  Finally,  we  reviewed 
the  SFIS  business  rules  to  identify  if  any  of  the  rules  were  vague,  made  general  statements  rather 
than  recommending  specific  approaches,  or  required  the  use  of  criteria  that  had  not  been 
established.  Based  on  the  inconsistencies  found  during  the  COA  review,  we  were  unable  to  rely 
on  the  testing  to  determine  whether  DEAMS  implemented  all  mandatory  SFIS  data  elements. 

Use  of  Computer-Processed  Data 

We  used  DEAMS  COA  and  transaction  posted  data  from  the  first  quarter  of  FY  2011.  While 
reviewing  the  DEAMS  COA  to  determine  whether  it  complied  with  DoD  requirements,  we 
identified  inconsistencies  in  account  data.  As  a  result,  the  computer-processed  data  were  not 
sufficiently  reliable  to  support  the  findings  and  conclusions  for  testing  USSGL  and  SFIS 
compliance.  We  discuss  the  data  reliability  issues  in  the  finding. 

Prior  Coverage 

During  the  last  5  years,  the  Govermnent  Accountability  Office  (GAO),  the  Department  of 
Defense  Inspector  General  (DoD  IG)  and  the  Air  Force  Audit  Agency  (AFAA)  issued  six  reports 
related  to  DoD  Business  Transformation  and  DEAMS.  Unrestricted  GAO  reports  can  be 
accessed  over  the  Internet  at  http://www.gao.gov.  Unrestricted  DoD  IG  reports  can  be  accessed 
at  http://www.dodig.mil/audit/reports.  AFAA  reports  can  be  accessed  from  .mil  domains  over 
the  Internet  at  https://aflan.wpafb.af.mil/communitv/views/home.aspx7FilteFOO-AD-01-41  by 
those  with  Common  Access  Cards. 

GAO 

GAO  Report  No.  GAO-1 1-53,  “DoD  Business  Transformation:  Improved  Management 
Oversight  of  Business  System  Modernization  Efforts  Needed,”  October  2010 

GAO  Report  No.  GAO-08-866,  “DoD  Business  Transformation:  Air  Force's  Current  Approach 
Increases  Risk  That  Asset  Visibility  Goals  and  Transformation  Priorities  Will  Not  Be  Achieved,” 
August  2008 

GAO  Report  No.  GAO-08-462T,  “Defense  Business  Transformation:  Sustaining  Progress 
Requires  Continuity  of  Leadership  and  an  Integrated  Approach,”  February  2008 

DoD  IG 

DoD  IG  Report  No.  D-201 1-015,  “Insufficient  Governance  Over  Logistics  Modernization 
Program  System  Development,”  November  2010 

Air  Force 

AFAA  Report  No.  F2010-0010-FB2000,  “Defense  Enterprise  Accounting  and  Management 
System  Accounting  Conformance,”  August  2010 

AFAA  Report  No.  F2009-0004-FB2000,  “Defense  Enterprise  Accounting  and  Management 
System  Controls,”  February  2009 
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Appendix  B.  DEAMS  Deployment  Schedule 


DEAMS  Release 

Title 

Deployment  Site 

Projected  Release 
Date 

Scott  Air  Force  Base 
Tech  Demonstration 

Scott  Air  Force  Base 

3  rd  Quarter, 

FY  2012 

Increment  1 ,  Release  1 

Scott  Air  Force  Base  and  Air  Mobility 
Command  Sites  without  Transportation 
Working  Capital  Fund 

3  rd  Quarter, 

FY  2013 

Increment  1 ,  Release  2 

Air  Mobility  Command  Sites  with 
Transportation  Working  Capital  Fund 
and  MacDill 

1 st  Quarter, 

FY  2014 

Increment  1 ,  Release  3 

Major  Upgrade  to  Oracle  R12 

2nd  Quarter, 

FY  2014 

Increment  1 ,  Release  4 

USTRANSCOM  and  Surface 
Deployment  and  Distribution 
Command 

4th  Quarter, 

FY  2014 

Increment  1 ,  Release  5 

Air  Force  Sites  in  the  Continental 
United  States 

2nd  Quarter, 

FY  2016 

Increment  1 ,  Release  6 

Pacific  Air  Forces  and  U.S.  Air  Forces 
in  Europe 

4th  Quarter, 

FY  2016 

Increment  2,  Release  1 

Air  Force  Materiel  Command  and  Air 
Force  Space  Command 

1st  Quarter, 

FY  2017 

Increment  2,  Release  2 

Foreign  Military  Sales  and 
Contingency  Operations 

3  rd  Quarter, 

FY  2017 

Source:  DEAMS  Business  Case,  January  5,  2012. 
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Appendix  C.  Quick  Reaction  Memorandum 


INSPECTOR  GENERAL 
DEPARTMENT  OF  DEFENSE 
4800  MARK  CENTER  DRIVE 
ALEXANDRIA.  VIRGINIA  22350-1500 


November  14, 201 1 

MEMORANDUM  FOR  UNDER  SECRETARY  OF  DEFENSE  (COMPTROLLER)/CHIEF 
FINANCIAL  OFFICER 
DEPUTY  CHIEF  MANAGEMENT  OFFICER 
COMMANDER,  U.S.  TRANSPORTATION  COMMAND 
ASSISTANT  SECRETARY  OF  TIIE  AIR  FORCE  (FINANCIAL 
MANAGEMENT  AND  COMPTROLLER) 

DIRECTOR,  DEFENSE  FINANCE  AND  ACCOUNTING  SERVICE 

SUBJECT:  Audit  of  the  Defense  Enterprise  Accounting  and  Management  System 
(Project  No.  D201 1-D000FH-0097.000) 

During  the  subject  audit,  we  identified  unauthorized1  changes  to  the  DEAMS  Chart  of  Accounts 
(COA),  which  resulted  in  changes  to  financial  accounts  that  directly  impact  financial  reporting. 
DEAMS  Functional  Management  Office  (FMO)  personnel  could  not  explain  the  nature  or  cause 
of  the  changes,  nor  did  they  know  whether  similar  changes  occurred  throughout  DEAMS. 

FMO  personnel  investigated  the  changes  and  identified  additional  data  changes  within  the 
DEAMS  COA.  Because  of  the  unauthorized  changes  and  the  inadequate  audit  trail,  there  is 
no  assurance  that  transactions  posted  to  the  correct  general  ledger  accounts,  thereby  reducing  the 
reliability  and  accuracy  of  reported  financial  information. 

Our  audit  objective  was  to  determine  whether  DEAMS  fulfilled  selected  functional  capabilities 
needed  to  generate  timely,  accurate,  and  reliable  financial  management  information.  This  memo 
only  discusses  unauthorized  changes  to  the  COA  and  related  audit  trail  deficiencies.  It  also 
focuses  on  the  reliability  of  financial  data  related  to  data  values  unexpectedly  changing  within 
DEAMS. 

Audit  Trail  Requirements 

DoD  Components  are  required  to  follow  the  Office  of  Federal  Financial  Management  (OFFM) 
regulation,  OFFM-NO-0106,  “Core  Financial  System  Requirements,”  January  2006,  when 
developing  financial  systems.  OFFM-NO-0106  requires  financial  systems  to  have  the  ability  to 
provide  consistent,  standardized  information  for  program  managers,  financial  managers,  agency 
executives,  and  oversight  organizations.  It  also  requires  core  financial  systems  to  provide 
automated  functionality  to: 


1  "Unauthorized"  refers  to  the  system  changing  data  files  without  FMO’s  approval  rather  than  individuals  gaining 
unauthorized  access  to  the  system. 
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•  capture  additions,  modifications,  and  cancellations,  including  the  date,  time,  and  user 
identification;  and 

•  generate  an  audit  trail  of  all  accounting  classification  structure  additions,  changes,  and 
deactivations,  including  effective  dates  of  changes. 

According  to  DoD  Financial  Management  Regulation,  volume  1,  chapter  7,  “United  States 
Standard  General  Ledger,”  the  COA  identifies  and  defines  budgetary,  proprietary,  and 
memorandum  accounts  that  agencies  should  use  in  federal  accounting  systems. 

OUSD(C)  Memorandum,  “DoD  Standard  Chart  of  Accounts  in  Standard  Financial  Information 
Structure  (SF1S),”  August  13,  2007,  requires  the  use  of  a  DoD  Standard  COA  in  target2  general 
ledger  accounting  systems  to  aggregate  transaction  activity  and  perform  departmental  reporting. 

Unauthorized  Changes  Within  the  DEAMS  Chart  of  Accounts 

We  identified  unauthorized  changes  to  the  status  indicator  and  last  update  dates  in  the 
DEAMS  COA.  According  to  FMO  personnel,  a  status  indicator  identifies  whether  accounts  are 
enabled  (active)  or  disabled  (inactive).  Because  DEAMS  does  not  allow  users  to  delete  accounts 
that  are  no  longer  needed  for  reporting,  it  relics  on  the  status  indicator  to  track  general  ledger 
accounts  available  for  posting.  Between  May  and  June  2011,  FMO  personnel  increased  the 
number  of  accounts  that  were  disabled  in  the  COA.  Flowever,  in  the  August  2011  COA,  most  of 
the  previously  disabled  general  ledger  accounts  were  enabled. 

Additionally,  the  August  COA  showed  changes  in  the  update  date  field.  Specifically,  the 
August  COA  showed  that  some  general  ledger  account’s  last  update  dates  preceded  and  others 
succeeded  the  last  update  dates  in  the  May  and  June  versions  of  the  COA.  Additionally, 
accounts  in  the  May,  June,  and  August  201 1  versions  of  the  COA  had  update  dates  that  preceded 
the  creation  dates  of  the  account.  When  we  brought  these  changes  to  their  attention, 

FMO  personnel  stated  that  they  were  not  aware  of  the  data  changes  and  could  not  provide 
a  justification  for  them.  Further,  they  speculated  that  the  changes  could  be  the  result  of  a 
program  running  in  the  background  that  may  be  randomly  updating  system  data.  However, 

FMO  personnel  stated  that  they  have  not  been  able  to  identify  what  caused  these  changes. 

During  September  2011,  DEAMS  FMO  personnel  investigated  and  found  that  DEAMS 
identified  AUTOINSTALL3  as  the  last  user  to  update  approximately  25  percent  of  the  accounts. 
FMO  personnel  stated  that  the  AUTOINSTALL  user  should  not  have  updated  so  many  accounts. 
On  September  15, 2011,  FMO  personnel  submitted  a  Remedy  (Help  Desk)  ticket  for  immediate 
investigation  and  resolution  of  the  AUTOINSTALL  issue.  FMO  personnel  attributed  the 
changes  to  an  error  in  DEAMS’  coding  that  changed  the  user  name  to  AUTOINSTALL. 

In  addition,  the  error  in  coding  changed  the  last  update  date  to  the  programmed  default  date. 

It  is  critical  that  controls  exist  over  the  integrity  and  quality  of  the  data  in  the  COA  because  all 
financial  transactions  must  post  to  the  correct  general  ledger  account.  Therefore,  FMO  personnel 
should  carefully  control  changes  in  the  DEAMS  COA  and  supporting  data.  Documenting  the 


2  The  target  accounting  systems  are  Federal  Financial  Management  Improvement  Act  (FFM1A)  compliant, 
configured  to  post  transactions  to  an  internal  USSGL  compliant  general  ledger  and  do  not  have  a  “sunset”  plan 
and  date. 

3  AUTOINSTAI.E  is  one  of  the  “seeded”  (default)  user  accounts  in  Oracle  E-Business  Suite. 
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changes  made  to  effective  dates  is  an  important  part  of  a  core  financial  system’s  audit  trail. 
Undocumented  changes  to  DEAMS  data  impede  its  ability  to  provide  adequate  audit  trails. 
Without  adequate  audit  trails,  and  because  DEAMS  data  is  used  for  financial  reporting, 

DoD  management  cannot  rely  on  DEAMS  financial  data  to  make  informed  decisions.  Further, 
these  weaknesses  potentially  prevent  the  U.S.  Air  Force  from  achieving  its  goal  of  auditability 
by  FY  2017. 

Further  Actions  Needed  to  Address  Data  Reliability 

Based  on  the  results  of  our  audit  to  date,  you  may  want  to  further  assess  the  extent  of  these 
inconsistencies  to  have  a  better  understanding  of  the  full  impact  they  may  have  on  the  system 
and  determine  what  correct  actions,  if  any,  are  needed  to  address  these  inconsistencies. 


We  performed  this  audit  in  accordance  with  generally  accepted  government  auditing  standards 
and  are  now  providing  these  interim  results  so  management  will  take  appropriate  corrective 
actions.  We  will  include  the  above  concerns  and  any  corrective  actions  taken  as  a  result  of  this 
memo  in  our  draft  report.  Therefore,  we  request  that  you  apprise  us  of  all  corrective  actions  you 
take  or  have  taken  to  address  these  weaknesses  by  December  14,  2011,  If  you  have  questions 
regarding  please  contact 


Patricia  A.  Marsh,  CPA 
Assistant  Inspector  General 
Financial  Management  and  Reporting 
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Appendix  D.  U.S.  Air  Force  Memorandum 
Comments 


DEPARTMENT  OF  THE  AIR  FORCE 

WASHINGTON,  DC 


OFFICE  OF  THE  UNDER  SECRETARY 

MEMORANDUM  FOR  DODIG 

SUBJECT:  Audit  of  the  Defense  Enterprise  Accounting  and  Management  System  (Project 

No.  D201 1-D000FH-0097.000) 

This  responds  to  Quick  Reaction  Memorandum  (QRM)  dated  14  Nov  1 1  on  the  above 
referenced  subject.  DODIG  requested  to  be  apprised  of  all  corrective  actions  completed  or 
planned  to  address  the  weakness  identified  in  the  QRM  by  14  Dec  11.  Also  suggested  was  an 
assessment  to  be  performed  of  those  changes  to  the  DEAMS  Chart  of  Accounts  (COA).  First, 
I  will  address  the  assessment,  and  second  the  corrective  actions. 

A  careful  assessment  of  the  DEAMS  system  Chart  of  Accounts  (COA)  was  performed  by 
the  DEAMS  Functional  Management  Office  (FMO).  None  of  the  unauthorized  changes  made 
to  the  COA  was  found  to  have  an  impact  on  the  financial  records.  Account  balances  were  not 
affected.  The  changes  were  determined  to  be  made  only  in  the  “status  indicator  and  “updated 
date”  fields  of  the  affected  accounts. 

The  primary  root  cause  of  these  unauthorized  changes  is  traced  to  an  application  interface 
script  used  to  automatically  execute  downward-directed  changes  to  the  COA  configurable 
values.  When  manually  executed,  the  application  interface  script,  in  addition  to  making  the 
desired  changes  to  the  COA,  also  re-set  the  “status  indicator”  and  “date  updated”  fields  to 
default  settings  established  when  the  DEAMS  COA  was  initially  loaded  and  brought  into 
production.  Several  weaknesses  have  been  identified  with  the  development  and  continued 
execution  of  the  script. 

SAF/FMP  is  taking  action  to  address  the  control  weaknesses.  Corrective  actions  to 
automatically  capture  all  value  changes  (additions,  modifications,  and  cancellations,  including 
the  date,  time  and  user  identification)  and  generate  an  audit  trail  of  those  changes  in 
accordance  with  OFFM-NO-0106  will  be  incorporated.  The  following  corrective  actions 
have  or  will  be  completed  in  FY  2012: 

a)  The  Oracle  E-Business  Suite  default  user  account  AUTOINSTALL  has  been  disabled. 
The  FMO  is  working  with  the  developer  on  a  new  application  interface  script  to 
facilitate  proper  loading  of  changes  to  the  COA. 

b)  Change  and  Configuration  Management  processes  and  procedures  are  under  review. 
The  DEAMS  FMO  and  Program  Management  Office  (PMO)  have  been  directed  to 
make  no  changes  to  the  DEAMS  baseline  configurations  without  approval  from  the 
DEAMS  Change  Control  Board.  The  DEAMS  CCB  and  SAF/FMP  are  implementing 
industry  standard  Information  Technology  Lifecycle  Management  processes. 
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c)  Controls  for  software  quality  are  under  review.  Attention  is  directed  to  controls  which 
ensure  appropriate  reviews  arc  being  performed  for  software  code  (including  scripts), 
audit  logs,  and  system-wide  scans  to  detect  malicious  code  and  other  vulnerabilities. 

d)  Evaluation  of  tools  to  perfonn  automated  detection  of  any  changes  to  baseline 
configuration  items  and  other  settings  is  being  conducted. 

e)  A  FISCAM  review  of  DEAMS  began  on  31  October  201 1  and  will  be  completed  by 
the  end  of  FY  2012. 

We  are  committed  to  implementing  rigorous  system  and  procedural  controls  to  ensure 
DEAMS  complies  with  DoD  and  AF  information  assurance  policies  and  statutory  audit 
requirements.  Please  contact  me  directly  if  you  require  further 

information. 


MICHAEL  V.  SORRENTO,  SES 
Chief  Information  Officer 
Assistant  Secretary  of  the  Air  Force 
Financial  Management  and  Comptroller 
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Appendix  E.  Defense  Finance  and  Accounting 
Service  Memorandum  Comments 


DEFENSE  FINANCE  AND  ACCOUNTING  SERVICE 

8899  EAST  56TH  STREET 
INDIANAPOLIS.  INDIANA  46249 

DEC  6  2011 

DFAS-JJ/IN 

MEMORANDUM  FOR  THE  DEPARTMENT  OF  DEFENSE  INSPECTOR  GENERAL 

SUBJECT:  Audit  of  the  Defense  Enterprise  Accounting  and  Management  System 
(DEAMS)  (Project  No.  D2011-D000FH-0097.000) 

Based  on  your  memo  dated  November  14,  201 1  (same  subject),  an  assessment  of  the 
DEAMS  system  Chart  of  Accounts  (COA)  was  completed.  The  Secretary  of  the  Air  Force  for 
Financial  Management  (SAF/FM)  determined  that  there  was  no  impact  on  the  financial  records. 
Account  balances  were  not  affected.  However,  unauthorized  changes  were  made  in  the  “status 
indicator”  field  and  in  the  “updated  date”  field  for  many  accounts.  The  root  cause  was  traced  to 
an  application  interface  script  which  was  used  to  automatically  execute  downward-directed 
changes  to  the  COA  configurable  values.  The  application  interface  script,  in  addition  to  making 
the  desired  changes  to  the  COA,  was  also  re-setting  "status  indicator”  and  “date  updated"  fields 
to  the  default  settings  established  when  the  DEAMS  COA  was  initially  loaded  and  brought  into 
production. 

In  discussions  with  the  DEAMS  Financial  Management  Office  (FMO),  the  Defense 
Finance  and  Accounting  Service  (DFAS)  has  assessed  that  this  is  a  DEAMS  systematic  issue. 

We  have  assessed  that  no  DFAS  operational  corrective  actions  are  required.  In  collaboration 
with  the  DEAMS  FMO.  DFAS  agrees  and  concurs  that  the  DEAMS  FMO  will  be  performing  the 
following  corrective  actions  to  automatically  capture  all  value  changes  (additions,  modifications, 
and  cancellations,  including  the  date,  time  and  user  identification)  and  generate  an  audit  trail  of 
those  changes  in  accordance  with  Office  of  Federal  Financial  Management  Number  106  (OFFM- 
NO-106).  All  corrective  actions  will  be  completed  in  2012. 

a.  Disabled  the  Oracle  E-Business  Suite  default  user  account  AUTOINSTALL. 
The  FMO  is  working  with  the  developer  on  a  new  application  interface  script  to 
facilitate  loading  of  changes  to  the  COA. 

b.  Reviewed  the  applicable  Federal  Information  System  Controls  Audit  Manual 
(FISCAM)  controls  associated  with  this  issue,  and  are  developing  more  stringent 
management  of  those  controls,  to  include  commercial-best-practice  Information 
Technology  Lifecycle  Management  tasks  such  as  system  integrator  code  quality 
control  reviews;  script  and  audit  log  reviews;  and  system-wide  scans  to  ensure 
malicious  code  is  not  causing  problems. 


www.dfas.mil 

Your  Financial  Partner  @  Work 


21 


c.  Analyzed  the  software  automation  products  which  will  issue  alerts  of  any 
changes  made  to  the  COA.  as  well  as  the  individuals  who  made  the  changes,  and 
when  the  changes  were  made. 

d.  Began  a  complete  FISCAM  review  of  DEAMS  on  October  3 1 . 201 1 .  which 
will  help  to  identify  gaps  and  validate  our  internal  controls  and  lead  to  a 
Statement  of  Budgetary  Resources  (SBR)  audit  assertion  for  DEAMS  by  the  end 
of  FY  20 1 2.  Developed  a  Chief  Financial  Officer  (CFO)  systems  compliance 
process  which  will  be  used  for  DEAMS  and  all  our  other  financial  systems  and 
feeder  systems.  This  process  will  allow  us  to  assess  the  adequacy  of  implemented 
controls  as  we  work  toward  a  Statement  of  Budgetary'  Resources  (SBR)  assertion 
for  the  Air  Force  by  20 1 4. 

Wc  are  committed  to  implementing  rigorous  system  and  procedural  controls  to  ensure 
DEAMS  complies  with  statutory  audit  requirements.  If  you  require  further  information,  please 
contact  the  I  iFAS’s  DEAMS  Project  Manager.^  directly  all 


Audrey  L.  Eckhart 

Director.  Enterprise  Solutions  and  Standards 
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Glossary 


Enterprise  Resource  Planning  System  -  an  automated  system  using  commercial  off-the-shelf 
software  consisting  of  multiple  integrated  functional  modules  that  perform  a  variety  of  business 
related  tasks  such  as  general  ledger  accounting,  payroll,  and  supply  chain  management. 

Increments  -  useful  and  supportable  operational  capabilities  that  can  be  developed,  produced, 
deployed,  and  sustained. 

Mixed  System  -  information  system  that  supports  both  financial  and  non-financial  functions  of 
the  Federal  Government  or  components. 

Operational  Test  and  Evaluation  -  used  to  determine  the  effectiveness  and  suitability  of  a 
system  under  realistic  operational  conditions,  including  joint  combat  operations;  used  to 
determine  if  thresholds  in  the  approved  Capability  Production  Document  and  critical  operational 
issues  have  been  satisfied;  assess  impacts  to  combat  operations;  and  provide  additional 
information  on  the  system’s  operational  capabilities. 

Patches  -  additional  pieces  of  code  developed  to  address  specific  problems  or  flaws  in  existing 
software. 

Risk  -  level  of  impact  on  entity  operations  (including  mission,  functions,  image,  or  reputation), 
entity  assets,  or  individuals  resulting  from  the  operation  of  an  information  system  given  the 
potential  impact  of  a  threat  and  the  likelihood  of  that  threat  occurring. 

Statement  of  Budgetary  Resources  -  provides,  along  with  related  disclosures,  information 
about  how  budgetary  resources  were  made  available  and  their  status  at  the  end  of  the  period.  It 
is  the  only  financial  statement  predominantly  derived  from  an  entity’s  budgetary  general  ledger 
in  accordance  with  budgetary  accounting  rules,  which  are  incorporated  into  Generally  Accepted 
Accounting  Principles  for  the  Federal  Government. 

Target  Accounting  System  -  a  Federal  Financial  Management  Improvement  Act  compliant 
system  that  is  configured  to  post  transactions  to  an  internal  USSGL  compliant  general  ledger. 

Vulnerabilities  -  flaws  that  can  be  exploited,  enabling  unauthorized  access  to  Information 
Technology  systems  or  enabling  users  to  have  access  to  greater  privileges  than  authorized. 
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U.S.  Air  Force  Comments 


DEPARTMENT  OF  THE  AIR  FORCE 

WASHINGTON,  DC 


OFFICE  OF  THE  ASSISTANTSECRETARY 


1  3  AUG  2012 


MEMORANDUM  FOR  DOD/IG 

FROM:  SAF/FM 

1 130  Air  Force  Pentagon 
Washington,  DC  20330-1 130 

SUBJECT:  DoD  IG  Draft  Report  of  Audit,  An  Unreliable  Chart  of  Account  Affected 
Auditability  of  Defense  Enterprise  Accounting  and  Management  System  Financial  Data  (Project 
No.  D201 1-D000FH-0097.000) 

We  concur  with  the  Audit  Results  and  recommendations  of  the  Subject  DoD  IG  Audit. 
SAF/FMP  did  initiate  corrective  actions  immediately  after  receiving  the  Inspector  General  Quick 
Reaction  Memorandum  dated  14  Nov  2011.  Specific  management  comments  are  attached. 

If  you  have  any  questions  or  concerns  with  our  comments,  please  contact 


MARILYN  M.  THOMAS 
Principal  Deputy  Assistant  Secretary 
(Financial  Management  &  Comptroller) 
Performing  the  duties  of  SAF/FM 


Attachment: 

Management  Comments 
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Draft  Management  Comments  fox  Report  of  Audit,  An  Unreliable  Chart  of  Account  Affected 
Auditability  of  Defense  Enterprise  Accounting  and  Management  System  Financial  Data  (Project 
No.  D201  l-DOOOFH-0097.000) 

Recommendations. 

(1)  Recommendation  1.  The  Assistant  Secretary  of  the  Air  Force  for  Financial  Management  and 
Comptroller  perform  validation  of  the  corrective  actions  for  the  unauthorized  changes  and 
inconsistencies  in  the  Defense  Enterprise  Accounting  and  Management  System  chart  of  accounts 
before  further  deployment  to  ensure  the  corrective  actions  are  operating  as  intended. 

Concur.  SAF/FMP  initiated  corrective  actions  after  receiving  the  Inspector  General  Quick 
Reaction  Memorandum  dated  14  Nov  2011: 

a.  Disabled  the  Oracle  E-Business  Suite  default  user  account  'Automstall  "  (Completed  Sep  11) 

b.  Directed  the  DEAMS  FMO  and  PMO  to  make  no  changes  to  the  DEAMS  baseline  without 
approval  from  the  DEAMS  Executive  Change  Control  Board.  (Completed  Nov  1 1) 

c.  Developed  and  implemented  an  interim  manual  control  review  process  for  the  COA. 
(Completed  May  12) 

d.  Developed  long-term  strategy  to  perform  automated  detection  of  any  changes  to  baseline 
configuration  items  using  the  Oracle  Governance  Risk  and  Compliance  (GRC)  module,  which 
will  be  implemented  in  the  DEAMS  environment  for  Release  2.  (Completed) 

e.  Initiated  a  FISCAM  review  of  internal  controls  and  software  quality.  (ECD:  Sep  12). 

(2)  Recommendation  2.  The  Functional  Manager.  Defense  Enterprise  Accounting  and 
Management  System  Functional  Management  Office: 

a.  Implement  monitoring  procedures  to  identify  inconsistencies  in  the  Defense  Enterprise 
Accounting  and  Management  System  chart  of  accounts  data. 

Concur.  The  DEAMS  FMO  has  implemented  additional  manual  internal  controls  to  identify 
inconsistencies  in  the  COA  data.  As  directed  by  SAF  FM.  all  changes  to  the  COA  are 
documented  and  approved  in  advance  of  any  configuration  changes.  System  level  detail  auditing 
has  since  been  implemented  and  audit  logs  are  reviewed  by  the  DEAMS  FMO  and  provided  to 
SAF/FMP  for  oversight  on  a  recurring  basis.  Also,  the  DEAMS  Executive  Change  Control 
Board  approved  the  implementation  of  the  GRC  tools  in  April  2012.  When  GRC  is 
implemented,  the  manual  controls  will  be  subsumed  with  systemic  controls.  With  GRC.  all 
changes  to  the  COA  will  require  systemically  routed  approvals  (ECD:  Feb  13) 

b.  Determine  whether  the  inconsistencies  in  the  account  data  affected  any  other  Defense 
Enterprise  Accounting  and  Management  System  functional  areas. 
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Concur.  In  November  2011.  the  SAF/FMP  issued  a  Memorandum  for  DoD  IG  statmg:  ‘'A 
careful  assessment  of  the  DEAMS  system  COA  was  performed  by  the  DEAMS  Functional 
Management  Office.  None  of  the  un-authonzed  changes  made  to  the  COA  were  found  to  have 
an  impact  on  the  financial  records  and  account  balances  were  not  affected-'’  This  assessment 
was  based  on  tracing  1,101  general  ledger  accounts  to  the  DEAMS  sub-ledger  s  and  general 
ledger.  (Complete) 

c.  Document  policies  and  procedures  for  modifying  the  Defense  Enterprise  Accounting  and 
Management  System  chart  of  accounts. 

Concur.  The  DEAMS  FMO  and  PMO  have  made  revisions  to  the  DEAMS  Sustainment  Plan 
which  includes  the  configuration  and  maintenance  of  the  system  The  revisions  wer  e  approved 
and  finalized  in  March  2012.  Also,  the  DEAMS  FMO  and  DFAS  will  publish  an  internal 
standard  oper  ating  procedure  (SOP)  to  address  continuity  and  consistency  of  operations  by  the 
end  of  FY2012  that  specifically  identifies  the  policies  and  procedures  for  modifying  the  DEAMS 
COA.  (ECD:  30  Sep  12) 
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